Testing Cloud services

Since we advocate testing your IT services and devices, what if your organization has cloud services?

How about Amazon EC2? Keep AWS compliance in mind.

As Amazon Web Services (AWS) says, security is a shared responsibility.

Rackspace has a security page, Rackspace Security, and Rackspace says it is a shared responsibility as well.

There are different cloud providers with specific missions and infrastructure services.

Let's say you need PCI compliance completed for a website that is hosted on a cloud provider.

A search of Rackspace's site turns up scanning for rootkits, among other links.

As a computer professional in the security field, one cannot just scan or perform penetration tests on any computer on the Internet. In fact, we must get written approval before performing a scan on a computer.

Why? How about this example:

Internet Storm Center example

"However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable.  This affects Proliants from G1 all the way up to G6, as well as many of the HP Bladesystems."

So scanning for Heartbleed causes a problem for the iLO cards on HP ProLiant hardware.

An iLO card provides a specific remote system administration capability:

"Before using an ILO card you must plug an Ethernet cable in to the server's ILO Ethernet jack. Once the ILO card is connected to the Internet, you must set up an ILO user account and IP network address in the server's BIOS menu"

This capability of the iLO card has a drawback: its software actually caused the server to crash, requiring a hard boot to recover (someone must press the power button). This side effect of a Heartbleed scan is a disaster for many cloud providers, as a reboot of a hypervisor server may cause a loss of service of 10-30 minutes or more if the system has to be manually reset in some way by a technician.

All Certified Ethical Hackers must be aware of the problems that can arise.

We must test for compliance and to uncover vulnerabilities, but it must be done in a way that does not affect services, if at all possible.
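
A pre-scan scope gate that enforces the two points above, written approval and care around fragile management interfaces such as iLO, as an added example that is not part of the original post. The authorization record layout, the `plan_scan` name, the placeholder approval reference and the RFC 5737 documentation addresses are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import date

# Constructed sample record of a written approval (not a real engagement).
AUTHORIZATION = {
    "reference": "PLACEHOLDER-APPROVAL-ID",
    "valid_from": date(2024, 1, 1),
    "valid_until": date(2024, 1, 31),
    "in_scope": ["192.0.2.0/24"],
    # Out-of-band management addresses (e.g. iLO) the owner flagged as fragile.
    "fragile": ["192.0.2.200/29"],
}


def plan_scan(targets, auth, today):
    """Sort targets into scan / manual_review / refused under a written approval."""
    if not (auth["valid_from"] <= today <= auth["valid_until"]):
        raise PermissionError(f"approval {auth['reference']} not valid on {today}")
    in_scope = [ipaddress.ip_network(n) for n in auth["in_scope"]]
    fragile = [ipaddress.ip_network(n) for n in auth["fragile"]]
    plan = {"scan": [], "manual_review": [], "refused": []}
    for target in targets:
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Hostnames and typos are refused: only approved addresses are scanned.
            plan["refused"].append(target)
            continue
        if not any(addr in net for net in in_scope):
            plan["refused"].append(target)        # not covered by the approval
        elif any(addr in net for net in fragile):
            plan["manual_review"].append(target)  # coordinate with the owner first
        else:
            plan["scan"].append(target)
    return plan


if __name__ == "__main__":
    sample = ["192.0.2.10", "192.0.2.201", "198.51.100.5", "ilo.example"]
    for bucket, hosts in plan_scan(sample, AUTHORIZATION, date(2024, 1, 15)).items():
        print(f"{bucket}: {hosts}")
```

Only the `scan` bucket should be handed to an automated scanner; addresses in `manual_review` are checked with the provider in a maintenance window.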
